* [PATCH RESEND] wifi: ath12k: fix MAC address copy on big endian @ 2026-06-29 7:55 Alexander Wilhelm 2026-07-02 8:12 ` Baochen Qiang 0 siblings, 1 reply; 10+ messages in thread From: Alexander Wilhelm @ 2026-06-29 7:55 UTC (permalink / raw) To: Jeff Johnson; +Cc: linux-wireless, ath12k, linux-kernel, Alexander Wilhelm The ath12k_dp_get_mac_addr function performs a simple memcpy from a CPU-native data types into an u8 array. On a big-endian architecture, this later results in a null‑pointer dereference. Convert the data to little‑endian first, then copy it into the target array. Signed-off-by: Alexander Wilhelm <alexander.wilhelm@westermo.com> --- drivers/net/wireless/ath/ath12k/dp.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/ath/ath12k/dp.h b/drivers/net/wireless/ath/ath12k/dp.h index f8cfc7bb29dd..50957915dbf4 100644 --- a/drivers/net/wireless/ath/ath12k/dp.h +++ b/drivers/net/wireless/ath/ath12k/dp.h @@ -647,8 +647,11 @@ int ath12k_dp_arch_rx_tid_delete_handler(struct ath12k_dp *dp, static inline void ath12k_dp_get_mac_addr(u32 addr_l32, u16 addr_h16, u8 *addr) { - memcpy(addr, &addr_l32, 4); - memcpy(addr + 4, &addr_h16, ETH_ALEN - 4); + __le32 le_addr_l32 = cpu_to_le32(addr_l32); + __le16 le_addr_h16 = cpu_to_le16(addr_h16); + + memcpy(addr, &le_addr_l32, 4); + memcpy(addr + 4, &le_addr_h16, ETH_ALEN - 4); } static inline struct ath12k_dp * --- base-commit: 702847e8cfd51856836a282db2073defd7cfd80c change-id: 20260317-fix-mac-addr-copy-on-big-endian-f1a4fea40184 Best regards, -- Alexander Wilhelm <alexander.wilhelm@westermo.com> ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH RESEND] wifi: ath12k: fix MAC address copy on big endian 2026-06-29 7:55 [PATCH RESEND] wifi: ath12k: fix MAC address copy on big endian Alexander Wilhelm @ 2026-07-02 8:12 ` Baochen Qiang 2026-07-02 8:41 ` Alexander Wilhelm 0 siblings, 1 reply; 10+ messages in thread From: Baochen Qiang @ 2026-07-02 8:12 UTC (permalink / raw) To: Alexander Wilhelm, Jeff Johnson; +Cc: linux-wireless, ath12k, linux-kernel On 6/29/2026 3:55 PM, Alexander Wilhelm wrote: > The ath12k_dp_get_mac_addr function performs a simple memcpy from a > CPU-native data types into an u8 array. On a big-endian architecture, this > later results in a null‑pointer dereference. Convert the data to Alex, did you find a time to investigate the root cause of the null pointer? > little‑endian first, then copy it into the target array. > > Signed-off-by: Alexander Wilhelm <alexander.wilhelm@westermo.com> > --- > drivers/net/wireless/ath/ath12k/dp.h | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/wireless/ath/ath12k/dp.h b/drivers/net/wireless/ath/ath12k/dp.h > index f8cfc7bb29dd..50957915dbf4 100644 > --- a/drivers/net/wireless/ath/ath12k/dp.h > +++ b/drivers/net/wireless/ath/ath12k/dp.h > @@ -647,8 +647,11 @@ int ath12k_dp_arch_rx_tid_delete_handler(struct ath12k_dp *dp, > > static inline void ath12k_dp_get_mac_addr(u32 addr_l32, u16 addr_h16, u8 *addr) > { > - memcpy(addr, &addr_l32, 4); > - memcpy(addr + 4, &addr_h16, ETH_ALEN - 4); > + __le32 le_addr_l32 = cpu_to_le32(addr_l32); > + __le16 le_addr_h16 = cpu_to_le16(addr_h16); > + > + memcpy(addr, &le_addr_l32, 4); > + memcpy(addr + 4, &le_addr_h16, ETH_ALEN - 4); > } > > static inline struct ath12k_dp * > > --- > base-commit: 702847e8cfd51856836a282db2073defd7cfd80c > change-id: 20260317-fix-mac-addr-copy-on-big-endian-f1a4fea40184 > > Best regards, ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH RESEND] wifi: ath12k: fix MAC address copy on big endian 2026-07-02 8:12 ` Baochen Qiang @ 2026-07-02 8:41 ` Alexander Wilhelm 2026-07-02 9:17 ` Alexander Wilhelm 0 siblings, 1 reply; 10+ messages in thread From: Alexander Wilhelm @ 2026-07-02 8:41 UTC (permalink / raw) To: Baochen Qiang; +Cc: Jeff Johnson, linux-wireless, ath12k, linux-kernel On Thu, Jul 02, 2026 at 04:12:00PM +0800, Baochen Qiang wrote: > > > On 6/29/2026 3:55 PM, Alexander Wilhelm wrote: > > The ath12k_dp_get_mac_addr function performs a simple memcpy from a > > CPU-native data types into an u8 array. On a big-endian architecture, this > > later results in a null‑pointer dereference. Convert the data to > > Alex, did you find a time to investigate the root cause of the null pointer? Sorry, I haven't had a chance to look into it yet. However, it's on my to-do list. I will try to reproduce the issue again as soon as possible. Best regards Alexander Wilhelm ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH RESEND] wifi: ath12k: fix MAC address copy on big endian 2026-07-02 8:41 ` Alexander Wilhelm @ 2026-07-02 9:17 ` Alexander Wilhelm 2026-07-02 9:56 ` Baochen Qiang 0 siblings, 1 reply; 10+ messages in thread From: Alexander Wilhelm @ 2026-07-02 9:17 UTC (permalink / raw) To: Baochen Qiang; +Cc: Jeff Johnson, linux-wireless, ath12k, linux-kernel On Thu, Jul 02, 2026 at 10:41:25AM +0200, Alexander Wilhelm wrote: > On Thu, Jul 02, 2026 at 04:12:00PM +0800, Baochen Qiang wrote: > > > > > > On 6/29/2026 3:55 PM, Alexander Wilhelm wrote: > > > The ath12k_dp_get_mac_addr function performs a simple memcpy from a > > > CPU-native data types into an u8 array. On a big-endian architecture, this > > > later results in a null‑pointer dereference. Convert the data to > > > > Alex, did you find a time to investigate the root cause of the null pointer? Hi Baochen, I am now running kernel v6.18.26, and it looks like the null-pointer issue is gone. I only see the following log messages: ath12k_pci 0001:01:00.0: failed to vdev 0 create peer for AP: -110 ath12k_pci 0001:01:00.0: failed to create vdev 04:f0:21:c9:e0:0e ret -110 ath12k_pci 0001:01:00.0: failed to assign chanctx for vif 04:f0:21:c9:e0:0e link id 0 link vif is already started ath12k_pci 0001:01:00.0: invalid vdev id in vdev delete resp ev 0 Should I rebase the patch onto the latest `ath/master` branch and update the commit description accordingly? Best regards Alexander Wilhelm ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH RESEND] wifi: ath12k: fix MAC address copy on big endian 2026-07-02 9:17 ` Alexander Wilhelm @ 2026-07-02 9:56 ` Baochen Qiang 2026-07-02 12:06 ` Alexander Wilhelm 0 siblings, 1 reply; 10+ messages in thread From: Baochen Qiang @ 2026-07-02 9:56 UTC (permalink / raw) To: Alexander Wilhelm; +Cc: Jeff Johnson, linux-wireless, ath12k, linux-kernel On 7/2/2026 5:17 PM, Alexander Wilhelm wrote: > On Thu, Jul 02, 2026 at 10:41:25AM +0200, Alexander Wilhelm wrote: >> On Thu, Jul 02, 2026 at 04:12:00PM +0800, Baochen Qiang wrote: >>> >>> >>> On 6/29/2026 3:55 PM, Alexander Wilhelm wrote: >>>> The ath12k_dp_get_mac_addr function performs a simple memcpy from a >>>> CPU-native data types into an u8 array. On a big-endian architecture, this >>>> later results in a null‑pointer dereference. Convert the data to >>> >>> Alex, did you find a time to investigate the root cause of the null pointer? > > Hi Baochen, > > I am now running kernel v6.18.26, and it looks like the null-pointer issue is > gone. I only see the following log messages: > > ath12k_pci 0001:01:00.0: failed to vdev 0 create peer for AP: -110 what is the actual mac addr reported from firmware in the PEER MAP event? My understanding is that, without this patch (if we really need it) we get a wrong mac addr, then in ath12k_dp_link_peer_map_event() we are more likely to fail the peer look up hence would create a new peer and wakeup the waiting thread. But the log here clearly indicates that the wait timeout, which does not make sense to me. > ath12k_pci 0001:01:00.0: failed to create vdev 04:f0:21:c9:e0:0e ret -110 > ath12k_pci 0001:01:00.0: failed to assign chanctx for vif 04:f0:21:c9:e0:0e link id 0 link vif is already started > ath12k_pci 0001:01:00.0: invalid vdev id in vdev delete resp ev 0 > > Should I rebase the patch onto the latest `ath/master` branch and update the > commit description accordingly? > > > Best regards > Alexander Wilhelm ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH RESEND] wifi: ath12k: fix MAC address copy on big endian 2026-07-02 9:56 ` Baochen Qiang @ 2026-07-02 12:06 ` Alexander Wilhelm 2026-07-03 4:04 ` Baochen Qiang 0 siblings, 1 reply; 10+ messages in thread From: Alexander Wilhelm @ 2026-07-02 12:06 UTC (permalink / raw) To: Baochen Qiang; +Cc: Jeff Johnson, linux-wireless, ath12k, linux-kernel On Thu, Jul 02, 2026 at 05:56:01PM +0800, Baochen Qiang wrote: > > > On 7/2/2026 5:17 PM, Alexander Wilhelm wrote: > > On Thu, Jul 02, 2026 at 10:41:25AM +0200, Alexander Wilhelm wrote: > >> On Thu, Jul 02, 2026 at 04:12:00PM +0800, Baochen Qiang wrote: > >>> > >>> > >>> On 6/29/2026 3:55 PM, Alexander Wilhelm wrote: > >>>> The ath12k_dp_get_mac_addr function performs a simple memcpy from a > >>>> CPU-native data types into an u8 array. On a big-endian architecture, this > >>>> later results in a null‑pointer dereference. Convert the data to > >>> > >>> Alex, did you find a time to investigate the root cause of the null pointer? > > > > Hi Baochen, > > > > I am now running kernel v6.18.26, and it looks like the null-pointer issue is > > gone. I only see the following log messages: > > > > ath12k_pci 0001:01:00.0: failed to vdev 0 create peer for AP: -110 > > what is the actual mac addr reported from firmware in the PEER MAP event? My understanding > is that, without this patch (if we really need it) we get a wrong mac addr, then in > ath12k_dp_link_peer_map_event() we are more likely to fail the peer look up hence would > create a new peer and wakeup the waiting thread. But the log here clearly indicates that > the wait timeout, which does not make sense to me. I have now added the following debug output for `peer_map_ev` inside of `ath12k_dp_htt_htc_t2h_msg_handler`: /* DEBUG */ switch (type) { case HTT_T2H_MSG_TYPE_PEER_MAP: case HTT_T2H_MSG_TYPE_PEER_MAP2: case HTT_T2H_MSG_TYPE_PEER_MAP3: ath12k_err(ab, "[DEBUG]: resp->peer_map_ev.info: %08X\n", le32_to_cpu(resp->peer_map_ev.info)); ath12k_err(ab, "[DEBUG]: resp->peer_map_ev.mac_addr_l32: %08X\n", le32_to_cpu(resp->peer_map_ev.mac_addr_l32)); ath12k_err(ab, "[DEBUG]: resp->peer_map_ev.info1: %08X\n", le32_to_cpu(resp->peer_map_ev.info1)); ath12k_err(ab, "[DEBUG]: resp->peer_map_ev.info2: %08X\n", le32_to_cpu(resp->peer_map_ev.info2)); break; default: break; } Here is the result: ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info: 0002002B ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.mac_addr_l32: C921F004 ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info1: FFFF0EE0 ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info2: 000502F5 ath12k_pci 0001:01:00.0: failed to vdev 0 create peer for AP: -110 ath12k_pci 0001:01:00.0: failed to create vdev 04:f0:21:c9:e0:0e ret -110 ath12k_pci 0001:01:00.0: failed to assign chanctx for vif 04:f0:21:c9:e0:0e link id 0 link vif is already started ath12k_pci 0001:01:00.0: invalid vdev id in vdev delete resp ev 0 Let me know if you see anything suspicious or if you need additional debug information. Best regards Alexander Wilhelm ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH RESEND] wifi: ath12k: fix MAC address copy on big endian 2026-07-02 12:06 ` Alexander Wilhelm @ 2026-07-03 4:04 ` Baochen Qiang 2026-07-03 6:36 ` Alexander Wilhelm 0 siblings, 1 reply; 10+ messages in thread From: Baochen Qiang @ 2026-07-03 4:04 UTC (permalink / raw) To: Alexander Wilhelm; +Cc: Jeff Johnson, linux-wireless, ath12k, linux-kernel On 7/2/2026 8:06 PM, Alexander Wilhelm wrote: > On Thu, Jul 02, 2026 at 05:56:01PM +0800, Baochen Qiang wrote: >> >> >> On 7/2/2026 5:17 PM, Alexander Wilhelm wrote: >>> On Thu, Jul 02, 2026 at 10:41:25AM +0200, Alexander Wilhelm wrote: >>>> On Thu, Jul 02, 2026 at 04:12:00PM +0800, Baochen Qiang wrote: >>>>> >>>>> >>>>> On 6/29/2026 3:55 PM, Alexander Wilhelm wrote: >>>>>> The ath12k_dp_get_mac_addr function performs a simple memcpy from a >>>>>> CPU-native data types into an u8 array. On a big-endian architecture, this >>>>>> later results in a null‑pointer dereference. Convert the data to >>>>> >>>>> Alex, did you find a time to investigate the root cause of the null pointer? >>> >>> Hi Baochen, >>> >>> I am now running kernel v6.18.26, and it looks like the null-pointer issue is >>> gone. I only see the following log messages: >>> >>> ath12k_pci 0001:01:00.0: failed to vdev 0 create peer for AP: -110 >> >> what is the actual mac addr reported from firmware in the PEER MAP event? My understanding >> is that, without this patch (if we really need it) we get a wrong mac addr, then in >> ath12k_dp_link_peer_map_event() we are more likely to fail the peer look up hence would >> create a new peer and wakeup the waiting thread. But the log here clearly indicates that >> the wait timeout, which does not make sense to me. I think I can understand the behavior here: even if wakeup happens, the waiter in ath12k_wait_for_dp_link_peer_common() checks the map result by calling ath12k_dp_link_peer_find_by_vdev_and_addr(). Since the mac addr of the newly created peer does not match, check failed. Finally we get timeout. > > I have now added the following debug output for `peer_map_ev` inside of > `ath12k_dp_htt_htc_t2h_msg_handler`: > > /* DEBUG */ > switch (type) { > case HTT_T2H_MSG_TYPE_PEER_MAP: > case HTT_T2H_MSG_TYPE_PEER_MAP2: > case HTT_T2H_MSG_TYPE_PEER_MAP3: > ath12k_err(ab, "[DEBUG]: resp->peer_map_ev.info: %08X\n", le32_to_cpu(resp->peer_map_ev.info)); > ath12k_err(ab, "[DEBUG]: resp->peer_map_ev.mac_addr_l32: %08X\n", le32_to_cpu(resp->peer_map_ev.mac_addr_l32)); > ath12k_err(ab, "[DEBUG]: resp->peer_map_ev.info1: %08X\n", le32_to_cpu(resp->peer_map_ev.info1)); > ath12k_err(ab, "[DEBUG]: resp->peer_map_ev.info2: %08X\n", le32_to_cpu(resp->peer_map_ev.info2)); > break; > default: > break; > } > > Here is the result: > > ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info: 0002002B > ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.mac_addr_l32: C921F004 > ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info1: FFFF0EE0 > ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info2: 000502F5 > ath12k_pci 0001:01:00.0: failed to vdev 0 create peer for AP: -110 > ath12k_pci 0001:01:00.0: failed to create vdev 04:f0:21:c9:e0:0e ret -110 > ath12k_pci 0001:01:00.0: failed to assign chanctx for vif 04:f0:21:c9:e0:0e link id 0 link vif is already started > ath12k_pci 0001:01:00.0: invalid vdev id in vdev delete resp ev 0 > > Let me know if you see anything suspicious or if you need additional debug > information. I am not really sure about the final mac addr and vdev id passed to ath12k_dp_link_peer_map_event(), so can you also add print below? diff --git a/drivers/net/wireless/ath/ath12k/dp_peer.c b/drivers/net/wireless/ath/ath12k/dp_peer.c index 47d009a0d61f..3e8201d536a5 100644 --- a/drivers/net/wireless/ath/ath12k/dp_peer.c +++ b/drivers/net/wireless/ath/ath12k/dp_peer.c @@ -162,6 +162,9 @@ void ath12k_dp_link_peer_map_event(struct ath12k_base *ab, u8 vdev_id, u16 peer_ struct ath12k_dp *dp = ath12k_ab_to_dp(ab); struct ath12k *ar; + pr_info("peer map event: vdev_id %u peer_id %u mac_addr %pM ast_hash %u hw_peer_id %u\n", + vdev_id, peer_id, mac_addr, ast_hash, hw_peer_id); + spin_lock_bh(&dp->dp_lock); peer = ath12k_dp_link_peer_find_by_vdev_and_addr(dp, vdev_id, mac_addr); if (!peer) { > > > Best regards > Alexander Wilhelm ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH RESEND] wifi: ath12k: fix MAC address copy on big endian 2026-07-03 4:04 ` Baochen Qiang @ 2026-07-03 6:36 ` Alexander Wilhelm 2026-07-03 7:10 ` Baochen Qiang 0 siblings, 1 reply; 10+ messages in thread From: Alexander Wilhelm @ 2026-07-03 6:36 UTC (permalink / raw) To: Baochen Qiang; +Cc: Jeff Johnson, linux-wireless, ath12k, linux-kernel On Fri, Jul 03, 2026 at 12:04:10PM +0800, Baochen Qiang wrote: > > > On 7/2/2026 8:06 PM, Alexander Wilhelm wrote: > > On Thu, Jul 02, 2026 at 05:56:01PM +0800, Baochen Qiang wrote: > >> > >> > >> On 7/2/2026 5:17 PM, Alexander Wilhelm wrote: > >>> On Thu, Jul 02, 2026 at 10:41:25AM +0200, Alexander Wilhelm wrote: > >>>> On Thu, Jul 02, 2026 at 04:12:00PM +0800, Baochen Qiang wrote: > >>>>> > >>>>> > >>>>> On 6/29/2026 3:55 PM, Alexander Wilhelm wrote: > >>>>>> The ath12k_dp_get_mac_addr function performs a simple memcpy from a > >>>>>> CPU-native data types into an u8 array. On a big-endian architecture, this > >>>>>> later results in a null‑pointer dereference. Convert the data to > >>>>> > >>>>> Alex, did you find a time to investigate the root cause of the null pointer? > >>> > >>> Hi Baochen, > >>> > >>> I am now running kernel v6.18.26, and it looks like the null-pointer issue is > >>> gone. I only see the following log messages: > >>> > >>> ath12k_pci 0001:01:00.0: failed to vdev 0 create peer for AP: -110 > >> > >> what is the actual mac addr reported from firmware in the PEER MAP event? My understanding > >> is that, without this patch (if we really need it) we get a wrong mac addr, then in > >> ath12k_dp_link_peer_map_event() we are more likely to fail the peer look up hence would > >> create a new peer and wakeup the waiting thread. But the log here clearly indicates that > >> the wait timeout, which does not make sense to me. > > I think I can understand the behavior here: even if wakeup happens, the waiter in > ath12k_wait_for_dp_link_peer_common() checks the map result by calling > ath12k_dp_link_peer_find_by_vdev_and_addr(). Since the mac addr of the newly created peer > does not match, check failed. Finally we get timeout. > > > > > I have now added the following debug output for `peer_map_ev` inside of > > `ath12k_dp_htt_htc_t2h_msg_handler`: > > > > /* DEBUG */ > > switch (type) { > > case HTT_T2H_MSG_TYPE_PEER_MAP: > > case HTT_T2H_MSG_TYPE_PEER_MAP2: > > case HTT_T2H_MSG_TYPE_PEER_MAP3: > > ath12k_err(ab, "[DEBUG]: resp->peer_map_ev.info: %08X\n", le32_to_cpu(resp->peer_map_ev.info)); > > ath12k_err(ab, "[DEBUG]: resp->peer_map_ev.mac_addr_l32: %08X\n", le32_to_cpu(resp->peer_map_ev.mac_addr_l32)); > > ath12k_err(ab, "[DEBUG]: resp->peer_map_ev.info1: %08X\n", le32_to_cpu(resp->peer_map_ev.info1)); > > ath12k_err(ab, "[DEBUG]: resp->peer_map_ev.info2: %08X\n", le32_to_cpu(resp->peer_map_ev.info2)); > > break; > > default: > > break; > > } > > > > Here is the result: > > > > ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info: 0002002B > > ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.mac_addr_l32: C921F004 > > ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info1: FFFF0EE0 > > ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info2: 000502F5 > > ath12k_pci 0001:01:00.0: failed to vdev 0 create peer for AP: -110 > > ath12k_pci 0001:01:00.0: failed to create vdev 04:f0:21:c9:e0:0e ret -110 > > ath12k_pci 0001:01:00.0: failed to assign chanctx for vif 04:f0:21:c9:e0:0e link id 0 link vif is already started > > ath12k_pci 0001:01:00.0: invalid vdev id in vdev delete resp ev 0 > > > > Let me know if you see anything suspicious or if you need additional debug > > information. > > I am not really sure about the final mac addr and vdev id passed to > ath12k_dp_link_peer_map_event(), so can you also add print below? > > diff --git a/drivers/net/wireless/ath/ath12k/dp_peer.c > b/drivers/net/wireless/ath/ath12k/dp_peer.c > index 47d009a0d61f..3e8201d536a5 100644 > --- a/drivers/net/wireless/ath/ath12k/dp_peer.c > +++ b/drivers/net/wireless/ath/ath12k/dp_peer.c > @@ -162,6 +162,9 @@ void ath12k_dp_link_peer_map_event(struct ath12k_base *ab, u8 vdev_id, > u16 peer_ > struct ath12k_dp *dp = ath12k_ab_to_dp(ab); > struct ath12k *ar; > > + pr_info("peer map event: vdev_id %u peer_id %u mac_addr %pM ast_hash %u hw_peer_id > %u\n", > + vdev_id, peer_id, mac_addr, ast_hash, hw_peer_id); > + > spin_lock_bh(&dp->dp_lock); > peer = ath12k_dp_link_peer_find_by_vdev_and_addr(dp, vdev_id, mac_addr); > if (!peer) { Sure, here is the output: ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info: 0002002B ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.mac_addr_l32: C921F004 ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info1: FFFF0EE0 ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info2: 000502F5 peer map event: vdev_id 0 peer_id 2 mac_addr d902298bM ast_hash 5 hw_peer_id 757 ath12k_pci 0001:01:00.0: failed to vdev 0 create peer for AP: -110 ath12k_pci 0001:01:00.0: failed to create vdev 04:f0:21:c9:e0:0e ret -110 ath12k_pci 0001:01:00.0: failed to assign chanctx for vif 04:f0:21:c9:e0:0e link id 0 link vif is already started ath12k_pci 0001:01:00.0: invalid vdev id in vdev delete resp ev 0 Best regards Alexander Wilhelm ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH RESEND] wifi: ath12k: fix MAC address copy on big endian 2026-07-03 6:36 ` Alexander Wilhelm @ 2026-07-03 7:10 ` Baochen Qiang 2026-07-03 7:48 ` Alexander Wilhelm 0 siblings, 1 reply; 10+ messages in thread From: Baochen Qiang @ 2026-07-03 7:10 UTC (permalink / raw) To: Alexander Wilhelm; +Cc: Jeff Johnson, linux-wireless, ath12k, linux-kernel On 7/3/2026 2:36 PM, Alexander Wilhelm wrote: > On Fri, Jul 03, 2026 at 12:04:10PM +0800, Baochen Qiang wrote: >> >> >> On 7/2/2026 8:06 PM, Alexander Wilhelm wrote: >>> On Thu, Jul 02, 2026 at 05:56:01PM +0800, Baochen Qiang wrote: >>>> >>>> >>>> On 7/2/2026 5:17 PM, Alexander Wilhelm wrote: >>>>> On Thu, Jul 02, 2026 at 10:41:25AM +0200, Alexander Wilhelm wrote: >>>>>> On Thu, Jul 02, 2026 at 04:12:00PM +0800, Baochen Qiang wrote: >>>>>>> >>>>>>> >>>>>>> On 6/29/2026 3:55 PM, Alexander Wilhelm wrote: >>>>>>>> The ath12k_dp_get_mac_addr function performs a simple memcpy from a >>>>>>>> CPU-native data types into an u8 array. On a big-endian architecture, this >>>>>>>> later results in a null‑pointer dereference. Convert the data to >>>>>>> >>>>>>> Alex, did you find a time to investigate the root cause of the null pointer? >>>>> >>>>> Hi Baochen, >>>>> >>>>> I am now running kernel v6.18.26, and it looks like the null-pointer issue is >>>>> gone. I only see the following log messages: >>>>> >>>>> ath12k_pci 0001:01:00.0: failed to vdev 0 create peer for AP: -110 >>>> >>>> what is the actual mac addr reported from firmware in the PEER MAP event? My understanding >>>> is that, without this patch (if we really need it) we get a wrong mac addr, then in >>>> ath12k_dp_link_peer_map_event() we are more likely to fail the peer look up hence would >>>> create a new peer and wakeup the waiting thread. But the log here clearly indicates that >>>> the wait timeout, which does not make sense to me. >> >> I think I can understand the behavior here: even if wakeup happens, the waiter in >> ath12k_wait_for_dp_link_peer_common() checks the map result by calling >> ath12k_dp_link_peer_find_by_vdev_and_addr(). Since the mac addr of the newly created peer >> does not match, check failed. Finally we get timeout. >> >>> >>> I have now added the following debug output for `peer_map_ev` inside of >>> `ath12k_dp_htt_htc_t2h_msg_handler`: >>> >>> /* DEBUG */ >>> switch (type) { >>> case HTT_T2H_MSG_TYPE_PEER_MAP: >>> case HTT_T2H_MSG_TYPE_PEER_MAP2: >>> case HTT_T2H_MSG_TYPE_PEER_MAP3: >>> ath12k_err(ab, "[DEBUG]: resp->peer_map_ev.info: %08X\n", le32_to_cpu(resp->peer_map_ev.info)); >>> ath12k_err(ab, "[DEBUG]: resp->peer_map_ev.mac_addr_l32: %08X\n", le32_to_cpu(resp->peer_map_ev.mac_addr_l32)); >>> ath12k_err(ab, "[DEBUG]: resp->peer_map_ev.info1: %08X\n", le32_to_cpu(resp->peer_map_ev.info1)); >>> ath12k_err(ab, "[DEBUG]: resp->peer_map_ev.info2: %08X\n", le32_to_cpu(resp->peer_map_ev.info2)); >>> break; >>> default: >>> break; >>> } >>> >>> Here is the result: >>> >>> ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info: 0002002B >>> ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.mac_addr_l32: C921F004 >>> ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info1: FFFF0EE0 >>> ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info2: 000502F5 >>> ath12k_pci 0001:01:00.0: failed to vdev 0 create peer for AP: -110 >>> ath12k_pci 0001:01:00.0: failed to create vdev 04:f0:21:c9:e0:0e ret -110 >>> ath12k_pci 0001:01:00.0: failed to assign chanctx for vif 04:f0:21:c9:e0:0e link id 0 link vif is already started >>> ath12k_pci 0001:01:00.0: invalid vdev id in vdev delete resp ev 0 >>> >>> Let me know if you see anything suspicious or if you need additional debug >>> information. >> >> I am not really sure about the final mac addr and vdev id passed to >> ath12k_dp_link_peer_map_event(), so can you also add print below? >> >> diff --git a/drivers/net/wireless/ath/ath12k/dp_peer.c >> b/drivers/net/wireless/ath/ath12k/dp_peer.c >> index 47d009a0d61f..3e8201d536a5 100644 >> --- a/drivers/net/wireless/ath/ath12k/dp_peer.c >> +++ b/drivers/net/wireless/ath/ath12k/dp_peer.c >> @@ -162,6 +162,9 @@ void ath12k_dp_link_peer_map_event(struct ath12k_base *ab, u8 vdev_id, >> u16 peer_ >> struct ath12k_dp *dp = ath12k_ab_to_dp(ab); >> struct ath12k *ar; >> >> + pr_info("peer map event: vdev_id %u peer_id %u mac_addr %pM ast_hash %u hw_peer_id >> %u\n", >> + vdev_id, peer_id, mac_addr, ast_hash, hw_peer_id); >> + >> spin_lock_bh(&dp->dp_lock); >> peer = ath12k_dp_link_peer_find_by_vdev_and_addr(dp, vdev_id, mac_addr); >> if (!peer) { > > Sure, here is the output: > > ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info: 0002002B > ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.mac_addr_l32: C921F004 > ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info1: FFFF0EE0 > ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info2: 000502F5 > peer map event: vdev_id 0 peer_id 2 mac_addr d902298bM ast_hash 5 hw_peer_id 757 what is d902298bM? are you using Linux? seems %pM is not properly formatted in your environment. > ath12k_pci 0001:01:00.0: failed to vdev 0 create peer for AP: -110 > ath12k_pci 0001:01:00.0: failed to create vdev 04:f0:21:c9:e0:0e ret -110 > ath12k_pci 0001:01:00.0: failed to assign chanctx for vif 04:f0:21:c9:e0:0e link id 0 link vif is already started > ath12k_pci 0001:01:00.0: invalid vdev id in vdev delete resp ev 0 > > > Best regards > Alexander Wilhelm ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH RESEND] wifi: ath12k: fix MAC address copy on big endian 2026-07-03 7:10 ` Baochen Qiang @ 2026-07-03 7:48 ` Alexander Wilhelm 0 siblings, 0 replies; 10+ messages in thread From: Alexander Wilhelm @ 2026-07-03 7:48 UTC (permalink / raw) To: Baochen Qiang; +Cc: Jeff Johnson, linux-wireless, ath12k, linux-kernel On Fri, Jul 03, 2026 at 03:10:23PM +0800, Baochen Qiang wrote: > > > On 7/3/2026 2:36 PM, Alexander Wilhelm wrote: > > On Fri, Jul 03, 2026 at 12:04:10PM +0800, Baochen Qiang wrote: > >> > >> > >> On 7/2/2026 8:06 PM, Alexander Wilhelm wrote: > >>> On Thu, Jul 02, 2026 at 05:56:01PM +0800, Baochen Qiang wrote: > >>>> > >>>> > >>>> On 7/2/2026 5:17 PM, Alexander Wilhelm wrote: > >>>>> On Thu, Jul 02, 2026 at 10:41:25AM +0200, Alexander Wilhelm wrote: > >>>>>> On Thu, Jul 02, 2026 at 04:12:00PM +0800, Baochen Qiang wrote: > >>>>>>> > >>>>>>> > >>>>>>> On 6/29/2026 3:55 PM, Alexander Wilhelm wrote: > >>>>>>>> The ath12k_dp_get_mac_addr function performs a simple memcpy from a > >>>>>>>> CPU-native data types into an u8 array. On a big-endian architecture, this > >>>>>>>> later results in a null‑pointer dereference. Convert the data to > >>>>>>> > >>>>>>> Alex, did you find a time to investigate the root cause of the null pointer? > >>>>> > >>>>> Hi Baochen, > >>>>> > >>>>> I am now running kernel v6.18.26, and it looks like the null-pointer issue is > >>>>> gone. I only see the following log messages: > >>>>> > >>>>> ath12k_pci 0001:01:00.0: failed to vdev 0 create peer for AP: -110 > >>>> > >>>> what is the actual mac addr reported from firmware in the PEER MAP event? My understanding > >>>> is that, without this patch (if we really need it) we get a wrong mac addr, then in > >>>> ath12k_dp_link_peer_map_event() we are more likely to fail the peer look up hence would > >>>> create a new peer and wakeup the waiting thread. But the log here clearly indicates that > >>>> the wait timeout, which does not make sense to me. > >> > >> I think I can understand the behavior here: even if wakeup happens, the waiter in > >> ath12k_wait_for_dp_link_peer_common() checks the map result by calling > >> ath12k_dp_link_peer_find_by_vdev_and_addr(). Since the mac addr of the newly created peer > >> does not match, check failed. Finally we get timeout. > >> > >>> > >>> I have now added the following debug output for `peer_map_ev` inside of > >>> `ath12k_dp_htt_htc_t2h_msg_handler`: > >>> > >>> /* DEBUG */ > >>> switch (type) { > >>> case HTT_T2H_MSG_TYPE_PEER_MAP: > >>> case HTT_T2H_MSG_TYPE_PEER_MAP2: > >>> case HTT_T2H_MSG_TYPE_PEER_MAP3: > >>> ath12k_err(ab, "[DEBUG]: resp->peer_map_ev.info: %08X\n", le32_to_cpu(resp->peer_map_ev.info)); > >>> ath12k_err(ab, "[DEBUG]: resp->peer_map_ev.mac_addr_l32: %08X\n", le32_to_cpu(resp->peer_map_ev.mac_addr_l32)); > >>> ath12k_err(ab, "[DEBUG]: resp->peer_map_ev.info1: %08X\n", le32_to_cpu(resp->peer_map_ev.info1)); > >>> ath12k_err(ab, "[DEBUG]: resp->peer_map_ev.info2: %08X\n", le32_to_cpu(resp->peer_map_ev.info2)); > >>> break; > >>> default: > >>> break; > >>> } > >>> > >>> Here is the result: > >>> > >>> ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info: 0002002B > >>> ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.mac_addr_l32: C921F004 > >>> ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info1: FFFF0EE0 > >>> ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info2: 000502F5 > >>> ath12k_pci 0001:01:00.0: failed to vdev 0 create peer for AP: -110 > >>> ath12k_pci 0001:01:00.0: failed to create vdev 04:f0:21:c9:e0:0e ret -110 > >>> ath12k_pci 0001:01:00.0: failed to assign chanctx for vif 04:f0:21:c9:e0:0e link id 0 link vif is already started > >>> ath12k_pci 0001:01:00.0: invalid vdev id in vdev delete resp ev 0 > >>> > >>> Let me know if you see anything suspicious or if you need additional debug > >>> information. > >> > >> I am not really sure about the final mac addr and vdev id passed to > >> ath12k_dp_link_peer_map_event(), so can you also add print below? > >> > >> diff --git a/drivers/net/wireless/ath/ath12k/dp_peer.c > >> b/drivers/net/wireless/ath/ath12k/dp_peer.c > >> index 47d009a0d61f..3e8201d536a5 100644 > >> --- a/drivers/net/wireless/ath/ath12k/dp_peer.c > >> +++ b/drivers/net/wireless/ath/ath12k/dp_peer.c > >> @@ -162,6 +162,9 @@ void ath12k_dp_link_peer_map_event(struct ath12k_base *ab, u8 vdev_id, > >> u16 peer_ > >> struct ath12k_dp *dp = ath12k_ab_to_dp(ab); > >> struct ath12k *ar; > >> > >> + pr_info("peer map event: vdev_id %u peer_id %u mac_addr %pM ast_hash %u hw_peer_id > >> %u\n", > >> + vdev_id, peer_id, mac_addr, ast_hash, hw_peer_id); > >> + > >> spin_lock_bh(&dp->dp_lock); > >> peer = ath12k_dp_link_peer_find_by_vdev_and_addr(dp, vdev_id, mac_addr); > >> if (!peer) { > > > > Sure, here is the output: > > > > ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info: 0002002B > > ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.mac_addr_l32: C921F004 > > ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info1: FFFF0EE0 > > ath12k_pci 0001:01:00.0: [DEBUG]: resp->peer_map_ev.info2: 000502F5 > > peer map event: vdev_id 0 peer_id 2 mac_addr d902298bM ast_hash 5 hw_peer_id 757 > > what is d902298bM? are you using Linux? seems %pM is not properly formatted in your > environment. Sory. I got a typo while copy-and-paste. Here's the output: peer map event: vdev_id 0 peer_id 2 mac_addr c9:21:f0:04:0e:e0 ast_hash 5 hw_peer_id 757 Best regards Alexander Wilhelm ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2026-07-03 7:48 UTC | newest] Thread overview: 10+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-06-29 7:55 [PATCH RESEND] wifi: ath12k: fix MAC address copy on big endian Alexander Wilhelm 2026-07-02 8:12 ` Baochen Qiang 2026-07-02 8:41 ` Alexander Wilhelm 2026-07-02 9:17 ` Alexander Wilhelm 2026-07-02 9:56 ` Baochen Qiang 2026-07-02 12:06 ` Alexander Wilhelm 2026-07-03 4:04 ` Baochen Qiang 2026-07-03 6:36 ` Alexander Wilhelm 2026-07-03 7:10 ` Baochen Qiang 2026-07-03 7:48 ` Alexander Wilhelm
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox